I agree that srcdoc without a default sandbox might give a false sense of security [1]. There were also suggestions that data: URIs already do what @srcdoc does, with the exception of fail-safety for sandboxed content in HTML4 UAs.
My suggestion is to replace @srcdoc with @sandboxsrc.
@sandboxsrc takes a URI. Use of this attribute implies sandbox. When @sandboxsrc is used, @src is ignored.
It allows use of sandboxed data: URIs in new UAs without leaving old UAs insecure, and leaves @src as a fallback for HTML4 UAs.
Because of the need to percent-escape or base64-encode, data: URIs are less efficient than @srcdoc is. This could be remedied by defining a preprocessing step on @sandboxsrc (and @src?) that adds the necessary percent-escaping to the value when the value starts with data:.
<iframe sandbox srcdoc="<h1>Hello</h1>">
would be changed to:
<iframe sandboxsrc="data:text/html,<h1>Hello</h1>">
<iframe sandbox src="hello.html-sandboxed">
would be equivalent to:
<iframe sandboxsrc="hello.html-sandboxed">
and allow:
<iframe sandboxsrc="hello.html-sandboxed" src="hello.txt">
--
regards, Kornel Lesiński
[1] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2010-August/028274.html
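As an added illustration that is not part of the post above (and not code from any browser engine or from the WHATWG specification), the following JavaScript models the proposal as described: @sandboxsrc takes precedence over @src and forces sandboxing, an HTML4-era UA that knows neither attribute falls back to @src alone, and a data: value gets the suggested percent-escaping preprocessing before use. It also measures the size overhead of percent-escaped and base64 data: URIs against the raw @srcdoc value for the `<h1>Hello</h1>` example. The attribute-to-object representation, the exact set of characters escaped, and the "legacy UA" model are assumptions made for this example.

```javascript
// Added example modelling the proposed @sandboxsrc semantics. Not from the
// original post or any UA; attribute handling and escaping rules are assumptions.

// Characters that may appear raw in a URI reference (RFC 3986 unreserved and
// sub-delims plus ':', '@', '/', '?'). Anything else is percent-encoded.
const RAW_URI_CHARS = /[^A-Za-z0-9._~!$&'()*+,;=:@\/?-]/gu;

// Proposed preprocessing step: when the value starts with "data:", percent-escape
// the body after the first comma so raw HTML (spaces, quotes, '<', '>', '#', '%')
// survives as a valid URI. Assumption: the author wrote the body unescaped, so an
// existing '%' is treated as literal text and encoded as %25.
function escapeDataUri(value) {
  if (!value.startsWith('data:')) return value;
  const comma = value.indexOf(',');
  if (comma === -1) return value;               // malformed data: URI, leave it alone
  const header = value.slice(0, comma + 1);
  const body = value.slice(comma + 1);
  // Every character reaching the callback is outside encodeURIComponent's
  // unreserved set, so it is always encoded (as UTF-8 percent-escapes).
  return header + body.replace(RAW_URI_CHARS, ch => encodeURIComponent(ch));
}

// A UA that implements the proposal. attrs maps lowercase attribute names to
// their string values (a bare boolean attribute such as sandbox is '').
// @sandboxsrc wins over @src and always sandboxes the frame; an explicit
// @sandbox, if present, supplies the allow-* tokens, otherwise the frame gets
// the fully restricted sandbox (empty token list).
function resolveNewUA(attrs) {
  if ('sandboxsrc' in attrs) {
    return {
      src: escapeDataUri(attrs.sandboxsrc),
      sandboxed: true,
      sandboxFlags: attrs.sandbox ?? '',
    };
  }
  return {
    src: 'src' in attrs ? escapeDataUri(attrs.src) : null,
    sandboxed: 'sandbox' in attrs,
    sandboxFlags: attrs.sandbox ?? null,
  };
}

// An HTML4-era UA that knows neither @sandbox nor @sandboxsrc: it loads @src
// unsandboxed and ignores everything else. A frame carrying only @sandboxsrc
// therefore loads nothing at all, which is the fail-safe behaviour wanted.
function resolveLegacyUA(attrs) {
  return {
    src: 'src' in attrs ? attrs.src : null,
    sandboxed: false,
    sandboxFlags: null,
  };
}

// Length in characters of the three inline-content encodings the post compares,
// for an ASCII HTML fragment (btoa only accepts Latin-1 input).
function inlineSizes(html) {
  const percent = escapeDataUri('data:text/html,' + html);
  const base64 = 'data:text/html;base64,' + btoa(html);
  return { srcdoc: html.length, percent: percent.length, base64: base64.length };
}

// Stand-alone demonstration with the post's own markup.
const demo = { sandboxsrc: 'hello.html-sandboxed', src: 'hello.txt' };
console.log('new UA    :', resolveNewUA(demo));
console.log('legacy UA :', resolveLegacyUA(demo));
console.log('escaped   :', escapeDataUri('data:text/html,<h1>Hello</h1>'));
console.log('sizes     :', inlineSizes('<h1>Hello</h1>'));
```

Running it shows the two readings of `<iframe sandboxsrc="hello.html-sandboxed" src="hello.txt">`: the new UA loads hello.html-sandboxed sandboxed, the legacy UA loads hello.txt unsandboxed, and a frame with only `sandboxsrc="data:text/html,<h1>Hello</h1>"` loads nothing in the legacy UA. The size figures make the efficiency point concrete: 14 characters of @srcdoc become 37 percent-escaped or 42 base64-encoded.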